Solved: Splunk Enterprise Security: Why is the Notable Eve...

mparks11 · ‎12-15-2016

Hi there,

Just noticed that the Notable Event Suppressions page in Splunk Enterprise Security (Configure --> Incident Management --> Notable Event Suppressions) is only showing 30 out of over 300 suppressions. I can view suppressions under Settings --> Event types in the Web UI, see them in SA-ThreatIntelligence/local/eventtypes.conf, and can see that they're being applied where appropriate.

We recently upgraded to ES 4.1.3 from 4.0.1, so maybe this is somehow related to the upgrade?

Was hoping someone else was seeing something similar and could guide me towards a root cause. Thanks in advance.

LukeMurphey · ‎12-15-2016

This is a known issue that was fixed in 4.5.1. I recommend reaching out to Support to get a workaround for your system.

View solution in original post

LukeMurphey · ‎12-15-2016

This is a known issue that was fixed in 4.5.1. I recommend reaching out to Support to get a workaround for your system.

mparks11 · ‎01-25-2017

To increase the number of supressions displayed to the ui edit:
$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/appserver/static/js/collections/NotableEventSuppressions.js (line 14):

url: "alerts/suppressions",

change it to:

url: "alerts/suppressions?count=-1",

Then _bump the version up one. This will work pending an ES 4.5.1 upgrade.

mparks11 · ‎12-15-2016

OK, thanks for the heads up. Will do!

Splunk Enterprise Security: Why is the Notable Event Suppressions page showing only 30 out of over 300 Suppressions?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases